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1 INTEGRATED CIRCUTr COMPRISING ENCRYPTION CIRCUITRY SELECTIVELY 

2 ENABLED BY VERIFYING A DEVICE 

3 

4 BACKGROUND OF THE INVENTION 

5 Field of the Invention 

6 The present invention relates to encryption circuitry. More particularly, the present 

7 invention relates to an integrated circuit comprising encryption circuitry selectively enabled by 

8 verifying a device. 

9 Description of the Prior Art 

10 Crypto systems are typically secure as long as attackers cannot discover the secret keys 

1 1 used to encrypt and decrypt messages. Attackers use various cryptanalysis techniques to analyze 

12 a crypto system in an attempt to discover the secret keys, where the difficulty in discovering the 
□13 secret keys generally depends on the amount of information available. The cryptosystem typically 
Jl4 employs a public encryption algorithm (such as RSA, DES, etc.), therefore an attacker typically 
^15 knows the encryption algorithm and has access to ciphertext (encrypted text). However, it is 
M=16 usually very difficult to discover the secret keys with this information alone because an attacker 
Hl7 typically needs to perform various operations on the ciphertext with respect to the original 
= 18 plaintext (unencrypted text). A known cryptanalysis technique includes monitoring a cryptosystem 
fyl9 to capture plaintext before it is encrypted so that it can be analyzed together with the ciphertext. 
j^20 Another cryptanalysis technique includes performing a chosen plaintext attack by choosing the 
yp21 plaintext that is to be encrypted so as to expose vulnerabilities of a cryptosystem because the 

22 attacker can deliberately pick patterns helpful to analysis contributing to discovering the secret 

23 keys. This type of an attack can be defended against by requiring the individual clients accessing 

24 the cryptosystem to be authenticated. However, an attacker with direct access to a cryptosystem 

25 may attempt to circumvent such a requirement by tampering with the cryptosystem. Examples of 

26 tampering include inspecting, altering or replacing a component of the cryptosystem in order to 
7 force the encryption operation. 

UiSTpaEentnuix^er 5,374,819 (the '819 patent) discloses a software program executing 

29 on a CPU which provides system^peratioii^yalidation in order to prevent the software program 

30 from executing on unlicensed computer systems. TO&vdidation method requires reading a unique 

31 chip identifier (chip ID) stored in a system device, and a correspon3ing~ehipjp and an encrypted 
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1 cod^Stefeiba non-volatile memory. The encrypted code, termed a message authentication 

^\^-2 code or MAC, isgenira^ a secret key. The c 819 patent relies on 

3 uncompromised secrecy of the secret key to prevenTtampcqim which could circumvent the 

4 validation process. ^^^^ 

5 The '819 patent is susceptible to a probing attacker attempting to discover the secret key 

6 by performing a chosen plain-text attack. For example, a probing attacker could tamper with the 

7 cryptosystem to generate chosen plaintext by modifying the chip ID stored in the non-volatile 

8 memory and then evaluate the resulting MAC generated by the encryption process. Further, a 

9 probing attacker could monitor the software program as it executes on the CPU in order to 

10 observe how the chosen plaintext is being encrypted using the secret key. If the secret key is 

1 1 discovered, the security of the system is compromised since the chip ID and corresponding MAC 

12 could be altered without detection. 

□ 13 There is, therefore, a need for a tamper resistant cryptosystem which is protected from an 

jp 14 attacker employing chosen plaintext attacks. 

^15 SUMMARY OF THE INVENTION 

Ml 6 The present invention may be regarded as an integrated circuit for selectively encrypting 

r^l7 plaintext data received from a first device to produce encrypted data to send to a second device, 

s 18 The integrated circuit comprises controllable encryption circuitry comprising a data input, an 

fyl9 enable input, and a data output. The integrated circuit further comprises a plaintext input for 

r*20 providing the plaintext data to the data input, an encrypted text output for providing the 

yQ21 encrypted data from the data output, and a first control input for receiving a first device 

~ 22 authentication signal for authenticating the first device. The integrated circuit further comprises a 

23 verification circuit responsive to the first device authentication signal for producing a first 

24 verification signal for use in controlling the enable input of the encryption circuitry to enable the 

25 encryption circuitry to provide the encrypted data via the encrypted text output. 

26 The present invention may also be regarded as a method of controlling encryption circuitry 

27 within an integrated circuit by selectively encrypting plaintext data received from a first device to 

28 produce encrypted data to send to a second device. The method comprises the steps of receiving 

29 the plaintext data from the first device, receiving a first device authentication signal for 

30 authenticating the first device, producing a first verification signal in response to the first device 
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1 authentication signal, enabling the encryption circuitry in response to the first verification signal to 

2 provide the encrypted data to the second device. 

3 BRIEF DESCRIPTION OF THE DRAWINGS 

4 FIG. 1 shows an embodiment of the present invention comprising a first device for 

5 providing plaintext data to an integrated circuit comprising an encryption circuit selectively 

6 enabled by a first device authentication signal generated by the first device, and a second device 

7 for receiving the encrypted data from the integrated circuit. 

8 FIG. 2A shows a flow diagram for an embodiment of the present invention wherein an 

9 encryption operation is enabled by verifying a first device. 

10 FIG 2B shows a flow diagram for an alternative embodiment of the present invention 

1 1 wherein the encryption operation is enabled by verifying the first device 

12 and by verifying a second device, wherein the encrypted data is generated and sent to the second 
Q13 device only if both devices are verified. 

Jl4 DESCRIPTION OF THE PREFERRED EMBODIMENTS 
>j 1 5 System Overview 

1^16 FIG 1 shows an embodiment of the present invention comp rising an integrated circuit 100 

j^l7 for selectively encrypting plaintext data 102 received from a first device 104 to produce encrypted 

2 18 data 106 to send to a second device 108. The integrated circuit 100 comprises controllable 

fyl9 encryption circuitry 110 comprising a data input 112, an enable input 114, and a data output 116. 

^20 The integrated circuit 100 further comprises a plaintext input 118 for providing the plaintext data 

gQ21 102 to the data input 112, an encrypted text output 120 for providing the encrypted data 106 

™22 from the data output 116, and a first control input 122 for receiving a first device authentication 

23 signal 124 for authenticating the first device 104. A first verification circuit 130, responsive to the 

24 first device authentication signal 124, produces a first verification signal 132 for use in controlling 

25 the enable input 114 of the encryption circuitry 110 to enable the encryption circuitry 110 to 

26 provide the encrypted data 106 via the encrypted text output 120. 

27 The encryption circuitry 110 in the integrated circuit 100 will not operate unless the first 

28 device 104 has been verified which protects against a probing attacker tampering with the first 

29 device 104 in an attempt to perform a chosen plaintext attack. Further, the first device 104 will 

30 preferably not generate the first device authentication signal 124 unless a command to encrypt 

31 data is received by an authenticated client. This protects against an unauthenticated attacker 



Y:\K35A\A0576VDOCS\A576paf.doc 12/29/99 



3 



PATENT 
ATTY DOCKET K35A0576 

1 attempting to observe the first device authentication signal 124. Additional protection against 

2 observation may be provided by concealing the first device authentication signal 124 to deter 

3 probing, or by detecting an attacker's probing by, for example, monitoring changes to the 

4 impedance of the first device authentication signal 124. In an alternative embodiment discussed 

5 below, a message authentication code (MAC) is employed to protect against a chosen plaintext 

6 attack in the event that an attacker is able to observe the first device authentication signal 124. In 

7 yet another embodiment, a means is provided to verify the validity of the firmware executed by 

8 the first device 104. For example, a CRC check code may be generated for the firmware during 

9 manufacturing which is then verified during operation before generating the first device 

10 authentication signal 124. This protects against a probing attacker who tampers with the 

11 executable code in an attempt to force the first device 104 to generate the first device 

12 authentication signal 124. 

013 To provide further protection against a probing attacker, in one embodiment both the 

J=14 integrated circuit 100 and the first device 104 are implemented using tamper-resistant encryption 

~yi5 circuitry. An example discussion of tamper-resistant encryption circuitry is provided in Tygar, 

m16 ID. and Yee, B.S., "Secure Coprocessors in Electronic Commerce Applications," Proceedings 

rjl7 1995 USENIX Electronic Commerce Workshop, 1995, New York, which is incorporated herein 

2 18 by reference. 

Li 

fyl9 In another embodiment, the integrated circuit 100 comprises a second control input 126 

'fflO for receiving a second device authentication signal 128 for authenticating the second device 108, 

y321 and a second verification circuit 134 responsive to the second device authentication signal 128 for 

AS. 

as J 

"22 producing a second verification signal 136. A gating circuit 138 responsive to the first and 

23 second verification signals 124 and 128 applies an enable signal 140 to the enable input 114 to 

24 cause the controllable encryption circuitry 110 to provide the encrypted data 106 via the 

25 encrypted text output 120. In this embodiment, the encryption circuitry 110 in the integrated 

26 circuit 100 will not operate unless both the first device 104 and the second device 108 have been 

27 verified. 

28 In the embodiment of FIG. 1, a cryptosystem comprises first device 104, integrated circuit 

29 100, and second device 108, wherein the first device 104 comprises a signal processing circuit and 

30 the second device 108 comprises a non-volatile memory. For example, in one embodiment a disk 

31 drive comprises a signal processing circuit 104 (e.g., a disk control system), a disk 108, and an 
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1 integrated circuit 100 comprising encryption circuitry 1 10. The disk drive preferably comprises a 

2 head disk assembly (HDA) and a printed circuit board (PCB), where the integrated circuit 100 can 

3 be located within the HDA or on the PCB. The encryption circuitry 110 implements a suitable 

4 cipher, such as the well known symmetric Data Encryption Standard (DES) or the asymmetric 

5 Rivest- Shamir- Adleman (RSA) algorithm The encryption circuitry 1 10 is preferably implemented 

6 using suitable hardware, such as a family of linear feedback shift registers (LFSR) and other 

7 digital logic. An example of a hardware implementation of encryption circuitry is provided by 

8 Hans Eberle in "A High-Speed DES Implementation for Network Applications," Technical 

9 Report 90, DEC System Research Center, September 1992, the disclosure of which is herein 

10 incorporated by reference. 

1 1 Device Verification 

12 The first device 104 in FIG. 1 can be verified by incorporating within the first device 104 a 
Ol3 unique device identifier which is transferred to the integrated circuit 100 as the first device 
j=;14 authentication signal 124 whenever a request is received from an authenticated client to encrypt 
J^15 plaintext 102. In one embodiment, the first verification circuit 130 within the integrated circuit 
H=16 100 comprises a comparator for comparing the device identifier received over line 124 with a 
rjl7 corresponding expected device identifier. A match verifies that the first device 104 is 
5 18 authenticated and the encryption circuit 110 is enabled. The expected device identifier may be 
fyl9 hardwired into the integrated circuit 100 (including blowing fiises), or it may be stored in non- 
£720 volatile memory (such as on a disk). According to another embodiment, the expected device 
^21 identifier can be stored as an encrypted text in the first device 104 and decryption circuitry is 
^ 22 employed for decrypting the encrypted text. 

23 Verifying the first device 104 using a unique device identifier prevents an attacker from 

24 replacing the first device 104 with a foreign device, thereby protecting against chosen plaintext 

25 attacks using foreign devices. However, an attacker may attempt to inspect or alter the first 

26 device 104 directly in an attempt to force the encryption circuit 1 10 to encrypt chosen plaintext. 

27 To protect against this type of inspection or alteration, an alternate authentication technique may 

28 be employed. For example, as discussed below, the authentication technique can include 

29 monitoring variations in spectral characteristics to assist in detecting attempts to inspect or alter 

30 the encryption circuit 1 10 or the first device 104. 
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1 In an alternative embodiment, a message authentication code (MAC) implemented within 

2 the first device 104 and the integrated circuit 100 is employed for generating the first device 

3 authentication signal 124 to verify the first device 104. Any suitable technique for implementing 

4 the MAC may be employed, such as the well known DES implementation. In particular, the first 

5 device 104 comprises a first device secret key for generating an initial MAC over the plaintext 

6 102 to be encrypted by the encryption circuit 110. The initial MAC is transferred to the 

7 integrated circuit 100 as the first device authentication signal 124. The first verification circuit 

8 130 within the integrated circuit 100 generates a verification MAC over the plaintext 102 using an 

9 internal secret key corresponding to the secret key that was used by the first device 104 to 

10 generate the initial MAC. The first verification circuit 130 compares the initial MAC (first device 

1 1 authentication signal 124) to the verification MAC where a match verifies that the first device 104 

12 is authenticated. In this embodiment, the first device authentication signal 124 (i.e., the initial 
Gl3 MAC) may be observable by an attacker, but the secret keys and operation of the encryption 
1f14 algorithm to generate the initial MAC are preferably inaccessible to observation. In this manner, 
y,15 the MAC can deter employing chosen plaintext attacks since the encryption key for generating the 
M=16 MAC over the chosen plaintext must be known in order to generate the first device authentication 
rjl7 signal 124. 

3 18 Referring again to FIG. 1, another embodiment for verifying the first device 104 is to 

Hjl9 measure certain spectral characteristics of the crypto system during manufacturing, wherein the 

^20 initial spectral signature is stored in an inaccessible area of the integrated circuit 100. During 

=021 operation, the first device 104 generates an operating spectral signature for the cryptosystem 

~~22 which is transferred to the integrated circuit 100 as the first device authentication signal 124. The 

23 operating spectral signature can be transferred as a unique device identifier or included as part of 

24 a MAC. The first verification circuit 130 compares the initial spectral signature generated during 

25 manufacturing to the operating spectral signature where a match verifies that the first device 104 

26 is authenticated. Attempts to inspect or alter the cryptosystem, including attempts to induce 

27 errors by heating or irradiating the cryptosystem, will induce detectable changes in the spectral 

28 signature which will disable the encryption circuitry 110. 

29 State Machine Control 

30 In one embodiment, the integrated circuit 100 comprises state machine circuitry for 

31 implementing the device verification used to enable the encryption circuitry 110. The state 
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machine circuitry operates according to the flow diagrams set forth in FIG. 2A and 2B. At step 
142 the state machine receives a command from an authenticated client to encrypt plaintext. At 
step 144 a branch is executed based on whether the first device 104 is verified. The device 
verification may be implemented, for example, as described above. If the first device 104 is 
verified at step 144, then at step 146 the encryption circuitry 1 10 is enabled by the gating circuit 
138 and the plaintext is encrypted. The resulting encrypted data is then transferred at step 148 to 
the second device 108. If the first device 104 is not verified at step 144, then the encryption 
circuitry 110 is not enabled. FIG. 2B shows a flow diagram similar to that of FIG. 2 A with the 
additional step 150 of verifying the second device 108 before gating circuit 138 enables the 
encryption circuitry 110. 
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